New Requirements to Disclose Ransomware Payments
Published March 29, 2022

PYA Principal Quoted in HCCA Article on New Requirements to Disclose Ransomware Payments

PYA Principal Barry Mathis is quoted in the recently published Report on Medicare Compliance, which covers a new law under which providers must report ransomware payments to the Department of Homeland Security. The requirements are a provision of the recently signed 2022 Consolidated Appropriations Act. The article, “New Law Requires Disclosure of Ransomware Payments; CMS Plans Outreach on End of PHE,” says hospitals will be required to report cyber breaches within 72 hours and ransomware payments within 24 hours.

Article Excerpt

Although the legislation is the government’s attempt to get a better fix on the prevalence of ransomware payments, mandatory reporting runs counter to the culture at many organizations, Mathis said. “The knee-jerk reaction at most hospitals is, ‘Let’s keep this quiet.’” They hope to deal with the cybercriminal version of a “reputable” hacker—paying the ransom, unlocking their data and keeping it off the dark web. But the federal government is “stepping in and saying it’s tired of people paying ransom,” which the FBI believes has “created an epidemic of ransomware attacks,” Mathis said. “If bad actors get paid, it’s a business for them.”

Read the full article on the Health Care Compliance Association’s (HCCA) COSMOS, an online platform for easy access to the latest compliance information.

If you would like assistance with cybersecurity, or any matter involving IT needs, our comprehensive risk management program, Overwatch, addresses all elements of IT infrastructure, process assessments, data governance, and risk management. One of our executive contacts would be happy to assist. You may email them below, or call (800) 270-9629.
